kernelthread.com

A Taste of Computer Security

© Amit Singh. All Rights Reserved. Written in August 2004


Epilogue

Realistically speaking, aberration in behavior is inescapable for almost any entity capable of "behaving". Software misbehavior is an inherent aspect of the stored-program concept, and indeed, computer systems are particularly prone to misbehaving, whether they are based on Unix, Windows, or others.

Which is the most secure platform?

An objective answer to this question could be found by looking at official security ratings. However, such a "most secure" platform would usually not be an everyday platform. Amongst everyday, general-purpose platforms, Windows NT based systems have some of the highest ratings. Thus, one of the officially most secure platforms apparently has the most security problems!

While Windows provides several powerful and flexible security mechanisms, using which effective security policies could be implemented, it is most commonly used in a security-retarding context. Windows systems have so far had relatively less secure default installations. It is not easy to configure security on Windows.

Perhaps a better question would be to ask which platform is the most secure amongst those that you can use (depending on your beliefs, needs, preferences, monetary considerations, available hardware, etc.) However, choosing a platform entirely based on its security capabilities might not be applicable in every situation. So, the answer is highly context-dependent, and largely up to you.

From an academic standpoint, the really interesting "security" to pursue is that of "an" operating system, rather than that of a particular one. Moreover, it is sometimes useful to look at the security issue from the opposite direction: instead of "adding" security, how about "removing" insecurity?

The security status of some general-purpose operating systems could be summed up as follows (please refer to previous sections for a more detailed discussion):

Why?

Ingenuity and technical acumen combine with overpowering negativity (cynicism, egotism, a will to destroy), causing digital sadism and digital mercenariness. Many underlying reasons for digital crime would be similar to those behind "regular" crimes.

In his 1984 Turing Award lecture, Ken Thompson summed the situation up in a way that is unequivocal until today:

"There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison. I have watched kids testifying before Congress. It is clear that they are completely unaware of the seriousness of their acts. There is obviously a cultural gap. The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile."

Must Defend

Glamour aside, security as a mainstream field is here to stay. It is a lucrative field too, from both academic and business standpoints.

The Market Opportunity

Aspects of security (its comprehension, research, implementation, and in particular, its perception) are harder to deal with than those of an underlying operating system, the latter being more deterministic. Due to this, and popular notions about security, the field is hotter than ever: whether you want to do research in the area, or you want to create a "security company".

Computer security is sometimes regarded as a service, and as an entity that can be retrofitted into existing systems. Since you cannot re-design existing systems frequently, retrofitting is usually the only viable solution anyway. Security companies far outnumber OS companies, and perhaps security experts outnumber OS experts. Security is an extremely saleable entity too. The proliferation of computing and the success of the Internet have greatly amplified the criticality of computer security, making it a very lucrative market.

A Social Experiment

A honeypot is a system that pretends to be vulnerable, so as to attract attackers. The goal is to learn about the attackers' techniques, behavior, etc.

Quite differently from a honeypot, suppose you take a computer system connected to the Internet, and protect it such that it needs human interaction to log in (so that malicious software cannot automatically take it over). Now, you advertise the super-user password (or whatever else is needed to log in with all privileges) to the world, but request that this machine not be tampered with. However, you qualify that there are no legal implications whatsoever if somebody does log in, or even destroys the system.

How long would it be before somebody logs in? How long would it be before somebody wipes the system out?

<<< Unix vs. Windows main